I’m very interested in your boot time with the latest version (I uploaded yesterday)?
Software can’t fix DDoS in general. GP does some mitigation at the Minecraft login level, which works for many cases where the group running the attack doesn’t have enough juice to completely overload the lower end of the network stack. Real DDoS attacks kill the server by overloading it with very low level connections - way below the level GP, CraftBukkit, Sponge, or even the OS can really police. The only effective solution to DDoS is very specialized (and very expensive) hardware, often beyond that which datacenters make available.
Take the specific example of several connection attempts from the same IP in a small interval. Yes GP could do that and it would help for small groups of “bots” run by the same player, assuming they all connect close together. But if the griefer is running a really big bot net, the hardware will be too overloaded to even get that information up to GP for processing.
Anyway, I think you’ll agree that a DoS is rather a low-power grief. Sure the server is unavailable for a while, but when the bot resources are reallocated to something else or when the attacker gets bored and moves on, the server comes back online and it’s exactly the way it was before it went offline - unlike a grief that happens in-game and leaves a permanent mark (like stealing from a chest or breaking down a build).
GP already does two things here - first, a single account can’t log in more than once per 2 minutes. That’s enough to shut down even a large bot net pretty quick. Second, GP will prevent join/leave messages from appearing in the chat too frequently, so players can continue to use the chat even when players are rapidly logging in and out. Put the two together, and login/logout spam is a minor problem that disappears after a moment.
Of course, if the traffic is so high that your hardware can’t handle it, everybody loses connection to the server and you’re out of service until the traffic slows down again. For that hardware level attack, there’s nothing any software (GP included) can do.
Yes, for the occasional server which wants to say, allow spam or theft, that is true. But I think it’s better to ask the rare cases to edit a config file than to require the common cases to download additional plugins. What you say about performance and bells and whistles is true in principle, but in the case of GP, the balance is very well implemented. I’m happy to discuss it further with you if you disagree, but you’ll have to get into specifics about GP to make a case.